Posts Tagged ‘SSLv3’

This message has recently been coming up on web sites that talk to PayPal to process payments. But where does it come from, and how do you fix it?

The cause is a recently disclosed flaw in the SSLv3 protocol, one of the versions of SSL/TLS that a browser (or a merchant site) and a server can agree on to set up an encrypted connection across the net. The flaw has been named POODLE (Padding Oracle On Downgraded Legacy Encryption, CVE-2014-3566). An attacker who can sit between the two ends and force the connection down to SSLv3 can use it to recover parts of the encrypted traffic, such as a session cookie, one byte at a time, which makes the encryption useless for practical purposes. This spells the end of SSLv3 as an option: TLS (version 1.0 or later) is now the only acceptable way to have the two ends talk to each other.

Looking at some of our Apache web servers, SSLv2 is already off by default, but SSLv3 is still on. So how do we turn SSLv3 off as well? It is just a matter of editing the ssl.conf file (normally in the /etc/httpd/conf.d folder). Look for the following line. In the SSLProtocol directive a bare keyword such as all sets the whole list of protocols, a leading - removes one from that list and a leading + adds one:

SSLProtocol all -SSLv2

and simply add -SSLv3 to it (keep the all: with only - entries and no all, nothing is enabled and every SSL handshake fails):

SSLProtocol all -SSLv2 -SSLv3

Or, an even more secure way is to remove every protocol and then select only the ones you DO want:

SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

One caveat with this form: the TLSv1.1 and TLSv1.2 keywords are only understood when Apache is built against OpenSSL 1.0.1 or newer. On an older build, httpd rejects the line with an "Illegal protocol" error and will not start, so on those servers stick to the first form (or +TLSv1 on its own).

Then check the configuration with apachectl configtest and restart the httpd service, and it should be job done. Bear in mind that SSLProtocol can also appear inside an individual VirtualHost definition, and a setting there overrides the one in ssl.conf, so check those files too. To test your website for being safe from POODLE/SSLv3 use this page
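If you would rather check from your own machine, the snag is that current OpenSSL and Python builds no longer speak SSLv3 at all, so the classic openssl s_client -ssl3 test often just says "unknown option". The probe below, an added example that is not part of the original post, sends a hand-built SSLv3 ClientHello over a plain TCP socket and looks at the first record that comes back: an SSLv3 ServerHello means the server still accepts SSLv3, an alert (or the server simply closing the connection) means it has been disabled. The cipher suite list and the all-zero client random are constructed for this example, and the default target name localhost is an assumption.

```python
"""Minimal SSLv3 ClientHello probe (added example, not code from the original post)."""
import socket
import struct

SSLV3 = b"\x03\x00"  # protocol version 3.0 on the wire = SSLv3

# Cipher suites to offer. Constructed list for this example; any non-empty set an
# SSLv3-era server could accept is enough, because the probe only cares whether the
# server is willing to negotiate version 3.0 at all.
CIPHER_SUITES = [
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0005,  # TLS_RSA_WITH_RC4_128_SHA
]


def build_client_hello(client_random=b"\x00" * 32):
    """Return one TLS record carrying an SSLv3 ClientHello.

    The 32-byte random is all zeros by default (an assumption that is fine for a
    probe that never completes the handshake; never do this in a real client).
    """
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                                     # client_version
        + client_random                           # random
        + b"\x00"                                 # session_id: empty
        + struct.pack("!H", len(suites)) + suites  # cipher_suites
        + b"\x01\x00"                             # compression_methods: null only
    )
    # Handshake header: msg_type 1 (ClientHello) followed by a 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content_type 22 (handshake), version, 16-bit length.
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sends back to our SSLv3 ClientHello.

    Returns 'sslv3-accepted' (server answered with an SSLv3 ServerHello),
    'sslv3-refused' (server sent an alert or closed the connection), or
    'unexpected' for anything else.
    """
    if len(data) == 0:
        return "sslv3-refused"                # connection closed without an alert
    if len(data) < 5:
        return "unexpected"
    content_type = data[0]
    if content_type == 0x15:                  # alert, e.g. handshake_failure / protocol_version
        return "sslv3-refused"
    # Handshake record whose first message is a ServerHello (msg_type 2):
    # 5-byte record header, 4-byte handshake header, then server_version.
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:
        return "sslv3-accepted" if data[9:11] == SSLV3 else "unexpected"
    return "unexpected"


def probe(host, port=443, timeout=5.0):
    """Run the probe against a live server (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except ConnectionResetError:
            data = b""                        # a reset counts as a refusal
        except socket.timeout:
            return "unexpected"
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed default
    print(target, probe(target))
```

Run it with the host name of your site as the argument; after the ssl.conf change and a restart it should report sslv3-refused. The classification only looks at the first record, which is all that is needed here: a server that has SSLv3 disabled never gets as far as sending a version 3.0 ServerHello.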